How CloudFlare and ReCaptcha are ruining the net (and what to do)

Everyone has suffered that annoying moment when CloudFlare serves them a Google ReCaptcha. Often the captcha is a little tricky, resulting in failure and multiple attempts. If you are particularly unlucky, you could be asked to click images of traffic lights, street signs, or zebra crossings, up to five times, before Google’s ReCaptcha finally accepts that you are human. This is totally infuriating and a massive waste of time. And, believe it or not, it may be imposed on people unnecessarily in order to help train Google’s machine learning systems.

What is a CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Captcha systems were originally proposed in 1997 to spot malicious online bots. The internet is full of bots (automated systems) that attempt to access websites and services, primarily to malevolent ends.

Bots help spread malware, carry out DDoS attacks, send bucketloads of spam, steal people’s credentials, log into services to make fraudulent purchases and perform many other nefarious online activities.

reCaptcha was acquired by Google in 2009 and has gone on to become the most popular flavor of the bot-busting captcha system.

CloudFlare and ReCaptcha - why the pain?

CloudFlare is a content delivery network (CDN) that provides services for around 7% of websites around the world. It is one of the largest global CDNs, and its network has a massive number of connections to Internet exchange points. CloudFlare’s primary job is to reduce how long it takes for websites to load.

However, CloudFlare also performs DDoS protection (and other website security services) by flagging up IP addresses that it believes are bots. When an IP address is flagged up as a potential bot, people using that particular IP are forced to fill in a ReCaptcha.

Under certain circumstances consumers are forced to fill in a ReCaptcha multiple times; sometimes for several minutes at a time. So why is this the case? And, is Google’s ReCaptcha broken?

The answer to this question is quite complex. But, in a nutshell, when you fill in Google’s ReCaptcha you aren’t just jumping through hoops to help stop bad robots: you are also helping train Google’s machine learning algorithms (and saving Google a ton of money by becoming a temporary, unpaid Google employee).

Why am I being singled-out to fill in a reCaptcha?

If you are using the internet at home and you aren’t doing anything out of the ordinary, you shouldn't need to fill in a reCaptcha very often. Most people are only prompted with a captcha when they attempt to buy something. This stops bots from brute-forcing passwords or committing fraudulent purchases (or multiple purchases). What’s more, most of the time a captcha should be as easy as clicking on “I’m not a robot”.

However, people who use public WiFi in hotels and coffee shops may find that they are served a ReCaptcha much more often. This is due to the large number of people using the internet from that specific location - sometimes leading to an IP address being blacklisted by CloudFlare for problematic behaviors.

If an internet user’s activities cause CloudFlare to flag a public WiFi IP, everyone using that WiFi hotspot will suddenly find themselves having to fill in a lot of ReCaptcha requests. The system is temperamental and most internet users agree that CloudFlare has overly aggressive firewall rules (that trip the ReCaptcha).
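The mechanism described above, as an added example that is not part of the original article and is not CloudFlare's actual logic: a toy edge that scores reputation per source IP over constructed access-log lines, then applies the same allow/challenge verdict to every client behind that IP. The penalty weights, the threshold, the client labels and the IP addresses are assumed values chosen for illustration; a real edge only ever sees the IP, never the individual devices behind a NAT.

```python
"""Toy per-IP reputation scoring (added illustration, not CloudFlare's code).

It models the effect the article describes: reputation is tracked per source
IP, so one abusive device behind a shared public Wi-Fi address causes every
user of that address to be challenged, and moving a single client to a
different egress IP (e.g. a VPN server) takes it out of the flagged pool.
"""
from collections import defaultdict
from dataclasses import dataclass

CHALLENGE_THRESHOLD = 5  # assumed score at which the edge serves a captcha (toy value)

# Constructed sample log: "ts ip client path status".
# "client" stands in for distinct devices behind the same NAT address.
SAMPLE_LOG = """\
1 203.0.113.10 laptop-a /index.html 200
2 203.0.113.10 phone-b /about 200
3 203.0.113.10 scanner-z /wp-login.php 401
4 203.0.113.10 scanner-z /wp-login.php 401
5 203.0.113.10 scanner-z /wp-login.php 401
6 203.0.113.10 scanner-z /xmlrpc.php 404
7 203.0.113.10 scanner-z /wp-login.php 401
8 203.0.113.10 scanner-z /wp-login.php 401
9 203.0.113.10 laptop-a /contact 200
10 198.51.100.7 home-user /index.html 200
11 198.51.100.7 home-user /about 200
12 198.51.100.7 home-user /contact 200
"""


@dataclass
class Request:
    ts: int
    ip: str
    client: str
    path: str
    status: int


def parse_log(text):
    """Parse the constructed log format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, client, path, status = line.split()
        reqs.append(Request(int(ts), ip, client, path, int(status)))
    return reqs


def request_penalty(req):
    """Assumed heuristic: failed logins and probing for missing files cost
    points; ordinary successful page views cost nothing."""
    if req.status == 401:
        return 2
    if req.status == 404:
        return 1
    return 0


def ip_scores(reqs, egress=None):
    """Sum penalties per source IP. `egress` optionally remaps a client to a
    different IP, modelling that client switching to a VPN server."""
    egress = egress or {}
    scores = defaultdict(int)
    for r in reqs:
        scores[egress.get(r.client, r.ip)] += request_penalty(r)
    return dict(scores)


def decisions(reqs, egress=None):
    """Return {client: 'allow' | 'challenge'}. The edge decides per IP, so
    every client sharing a flagged IP receives the same verdict."""
    egress = egress or {}
    scores = ip_scores(reqs, egress)
    out = {}
    for r in reqs:
        ip = egress.get(r.client, r.ip)
        out[r.client] = "challenge" if scores[ip] >= CHALLENGE_THRESHOLD else "allow"
    return out


def collateral_clients(reqs, egress=None):
    """Clients that are challenged although their own requests earned zero
    penalty: the innocent bystanders on a shared hotspot."""
    egress = egress or {}
    own = defaultdict(int)
    for r in reqs:
        own[r.client] += request_penalty(r)
    verdicts = decisions(reqs, egress)
    return sorted(c for c, v in verdicts.items() if v == "challenge" and own[c] == 0)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print("scores per IP:", ip_scores(reqs))
    print("verdict per client:", decisions(reqs))
    print("challenged for someone else's behaviour:", collateral_clients(reqs))
    # laptop-a moves to an assumed VPN egress address and is no longer challenged
    print("after laptop-a uses a VPN:", decisions(reqs, {"laptop-a": "192.0.2.50"}))
```

Running it shows the shared hotspot address accumulating a score of 11 from one scanning device, which pushes laptop-a and phone-b into the challenge pool despite clean traffic, while the home user on a dedicated address is never challenged; remapping laptop-a to a fresh egress IP returns an allow verdict for that client only.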

Why does CloudFlare let this happen?

Considering that CloudFlare’s job is to speed up page load times, it seems fair to question why the world’s largest CDN is letting Google ruin the internet in this way.

To its credit, CloudFlare’s use of reCaptcha is not particularly suspicious. ReCaptcha is considered “the leading CAPTCHA service,” because, nowadays, reCaptcha is meant to work in an “invisible” manner.

In practice, this isn’t always the case. With so many people experiencing frustration and problems due to ReCaptcha, one would hope that CloudFlare would use its considerable influence to kick up more of a fuss (especially considering that CloudFlare’s CEO knows Google’s CEO personally).

This becomes all the more urgent if internet users are being (unfairly) made to jump through extra hoops to help Google train up its automated systems. CloudFlare, please do something, for goodness’ sake!

The reCaptcha solution: A VPN

People who are sick of encountering CloudFlare's implementation of reCaptcha can use a Virtual Private Network (VPN) to combat the problem. A VPN conceals your real IP address behind the VPN server's address, so CloudFlare sees the server's IP rather than the blacklisted one.

If you are wondering whether the IP address you are using is blacklisted, you can check it by:

If the IP address says something like: “The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker”, a VPN could indeed help. Another option is to ask for it to be whitelisted.

If you are not using a VPN and are experiencing a lot of reCaptcha requests, the best thing to do is to subscribe to a well-known premium VPN service. All of the recommended VPNs are known to help solve the annoying CloudFlare reCaptcha problem.

If you are currently using a VPN, but are still experiencing a lot of reCaptcha requests, it is worth trying to connect to a different server. This is because it is probable that only that one VPN server is affected. If the problem persists, please contact your VPN provider. If your VPN provider can’t help, you may need to switch to one of our recommended providers.

Why are VPN servers blacklisted by CloudFlare?

The majority of the time, CloudFlare will have blacklisted an IP address belonging to a VPN because one of the VPN’s customers has used the IP address to spam people or perform some other blacklisted activity.

VPNs have rules in place that ask their subscribers not to perform malicious activities. However, sometimes subscribers take advantage of the VPN’s zero-logs policy by performing activities that are against the terms of service.

Is CloudFlare blocking VPNs on purpose?

It is worth noting that CloudFlare has launched its own VPN service called CloudFlare Access. This VPN is in direct competition with other commercial and corporate VPNs. It would therefore not be surprising if CloudFlare began blacklisting VPN IP addresses to encourage people to subscribe to its proprietary service instead.

Whether this is already occurring is not clear, but there have been reports of specific VPN users (such as Private Internet Access subscribers) being served a reCaptcha on a regular basis when their VPN is connected. Only time will tell, but, for now, CloudFlare doesn’t seem particularly motivated to save the day.

Digital privacy expert with 4+ years experience testing and reviewing VPNs. He's been quoted in The Express, Barrons, the Scottish Herald, ThreatPost, CNET & many more. Ray is currently rated number 1 VPN authority by Agilience.com.

5 Comments

Huntsman

Hi Ray, I know of at least one web/domain owner who uses Cloudflare to block VPN users. Specifically NordVPN IS BEING BLOCKED. To add insult to injury, they block paying customers for both the Web/Domain owner AND a long term 2 year NordVPN paying customer. Requests to both the web/domain owner and NordVPN all fall on deaf ears! So as far as I am concerned, using a VPN does not bypass or unblock these Cloudflare blocking problems. I was using the Cloudflare DNS 1.1.1.1 server, but that was no help, so I no longer use it or any of Cloudflare offerings. I will continue to use NordVPN (it's a good service) until my subscription runs out. If this problem isn't resolved by then, I will be forced to look for an alternative VPN provider who isn't using Cloudflare. A sad state of affairs!

Laurent

Hi Ray, Cloudflare is NOT "the largest global CDN and its network" & does NOT have "the largest number of connections to Internet exchange points". With 20Tbps Cloudflare is actually: 75% smaller than Limelight Networks at 35Tbps+ (see: http://short.laurentperche.com/pD8dj); 3 times smaller than Verizon's EdgeCast at 63 Tbps (see: http://short.laurentperche.com/DUpGi).

crowleyst replied to Laurent

Hi Laurent. Thanks for pointing that out, I have adjusted the article accordingly. I mistrusted a bogus source that I should have fact-checked. I really appreciate you challenging me on it to ensure that it is corrected, it is not my intention to spread disinformation. Thanks again.

douglas replied to Impressed

Hi Impressed, iOS is supposedly immune to IPv6 DNS leaks (see https://www.scribd.com/document/269210465/A-Glance-through-the-VPN-Looking-Glass-IPv6-Leakage-and-DNS-Hijacking-in-Commercial-VPN-clients), but IPv4 leaks can certainly happen. Any leaks should, however, be blocked by a good VPN app. The generic OpenVPN Connect (by OpenVPN Inc.) app does this if your custom app does not. Safari does not support WebRTC, so DNS leaks via WebRTC are not possible when using it. You may be interested in reading our Complete Guide to IP Leak Protection (https://proprivacy.com/guides/a-complete-guide-to-ip-leaks/).